Posted to dev@santuario.apache.org by James Reeves <ja...@hybridfour.com> on 2006/05/05 11:23:13 UTC

Possible c14n bugs

Hi,

I think I've discovered two bugs in the c14n methods of XML Security. 
Your site recommends bringing up bugs on the mailing list first (a 
sensible precaution!), so I'll detail my findings here and see if anyone 
can confirm if these bugs are valid. I'm using the Java 1.3 version of XML 
Security.

The first potential problem is that XML security doesn't appear to order 
namespace attributes in the same manner as the W3C spec. The W3C c14n 
spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags

In the W3C example, it transforms this tag:

    <e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
       xmlns:b="http://www.ietf.org"
       xmlns:a="http://www.w3.org"
       xmlns="http://example.org"/>

Into this (ignore the word-wrapping - it's all one line):

    <e5 xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e5>

I tried the same test using the XMLUtils.outputDOMc14nWithComments 
method, and it returned this result (again, ignore the word-wrapping):

    <e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted" xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org"></e5>

The second problem is that in the spec, empty xmlns attributes are 
removed. Thus, this original tag:

    <e6 xmlns="" xmlns:a="http://www.w3.org">

Becomes this, when c14n'd:

    <e6 xmlns:a="http://www.w3.org">

The XMLUtils.outputDOMc14nWithComments method does not remove the 
redundant xmlns attribute:

    <e6 xmlns="" xmlns:a="http://www.w3.org">

The code I used to obtain all of this output is attached.

--
James Reeves
http://www.hybridfour.com


Re: Possible c14n bugs

Posted by Raul Benito <ra...@apache.org>.
Don't worry. Anyway, thanks for caring....

Regards,

On 5/5/06, James Reeves <ja...@hybridfour.com> wrote:
> Raul Benito wrote:
> > can you test again with this change?
>
> Aha! You're correct; setting namespaceAware to true solves the problem
> completely.
>
> Apologies for the false alarm. In hindsight it seems all too obvious.
>
> --
> James Reeves
> http://www.hybridfour.com
>
>


--
http://r-bg.com

Re: Possible c14n bugs

Posted by James Reeves <ja...@hybridfour.com>.
Raul Benito wrote:
> can you test again with this change?

Aha! You're correct; setting namespaceAware to true solves the problem 
completely.

Apologies for the false alarm. In hindsight it seems all too obvious.

--
James Reeves
http://www.hybridfour.com


Re: Possible c14n bugs

Posted by Raul Benito <ra...@apache.org>.
It looks really weird to me.

Perhaps the documentBuilder is not namespace aware...

See javadoc for DocumentBuilder...

setNamespaceAware

public void setNamespaceAware(boolean awareness)

    Specifies that the parser produced by this code will provide
    support for XML namespaces. By default the value of this is set to
    false.

    Parameters:
        awareness - true if the parser produced will provide support
        for XML namespaces; false otherwise.


can you test again with this change?

Regards,


On 5/5/06, James Reeves <ja...@hybridfour.com> wrote:
> Hi,
>
> I think I've discovered two bugs in the c14n methods of XML Security.
> Your site recommends bringing up bugs on the mailing list first (a
> sensible precaution!), so I'll detail my findings here and see if anyone
> can confirm if these bugs are valid. I'm using the Java 1.3 version of XML
> Security.
>
> The first potential problem is that XML security doesn't appear to order
> namespace attributes in the same manner as the W3C spec. The W3C c14n
> spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags
>
> In the W3C example, it transforms this tag:
>
>     <e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
>        xmlns:b="http://www.ietf.org"
>        xmlns:a="http://www.w3.org"
>        xmlns="http://example.org"/>
>
> Into this (ignore the word-wrapping - it's all one line):
>
>     <e5 xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e5>
>
> I tried the same test using the XMLUtils.outputDOMc14nWithComments
> method, and it returned this result (again, ignore the word-wrapping):
>
>     <e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted" xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org"></e5>
>
> The second problem is that in the spec, empty xmlns attributes are
> removed. Thus, this original tag:
>
>     <e6 xmlns="" xmlns:a="http://www.w3.org">
>
> Becomes this, when c14n'd:
>
>     <e6 xmlns:a="http://www.w3.org">
>
> The XMLUtils.outputDOMc14nWithComments method does not remove the
> redundant xmlns attribute:
>
>     <e6 xmlns="" xmlns:a="http://www.w3.org">
>
> The code I used to obtain all of this output is attached.
>
> --
> James Reeves
> http://www.hybridfour.com
>
>
>
> import java.io.StringReader;
>
> import javax.xml.parsers.DocumentBuilder;
> import javax.xml.parsers.DocumentBuilderFactory;
>
> import org.apache.xml.security.utils.XMLUtils;
> import org.w3c.dom.Document;
> import org.xml.sax.InputSource;
>
> public class XmlC14nTest
> {
>     public static void main(String[] args) throws Exception
>     {
>         org.apache.xml.security.Init.init();
>
>         // Input document taken from the W3C c14n spec example
>         String xml = "<!DOCTYPE doc [<!ATTLIST e9 attr CDATA \"default\">]>\n" +
>             "<doc>\n" +
>             "   <e1   />\n" +
>             "   <e2   ></e2>\n" +
>             "   <e3   name = \"elem3\"   id=\"elem3\"   />\n" +
>             "   <e4   name=\"elem4\"   id=\"elem4\"   ></e4>\n" +
>             "   <e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
>             "      xmlns:b=\"http://www.ietf.org\"\n" +
>             "      xmlns:a=\"http://www.w3.org\"\n" +
>             "      xmlns=\"http://example.org\"/>\n" +
>             "   <e6 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
>             "      <e7 xmlns=\"http://www.ietf.org\">\n" +
>             "         <e8 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
>             "            <e9 xmlns=\"\" xmlns:a=\"http://www.ietf.org\"/>\n" +
>             "         </e8>\n" +
>             "      </e7>\n" +
>             "   </e6>\n" +
>             "</doc>\n";
>
>         // Factory left at its default settings, i.e. not namespace-aware
>         DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
>
>         Document document = builder.parse(new InputSource(new StringReader(xml)));
>
>         XMLUtils.outputDOMc14nWithComments(document, System.out);
>     }
> }
>
>
>


--
http://r-bg.com
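The fix Raul points to, written out as an added example that is not part of this thread and not the XML Security project's own code: the W3C <e5> sample is parsed twice, once with the factory's default (namespace-unaware) setting and once after setNamespaceAware(true), each DOM is canonicalized with the same XMLUtils.outputDOMc14nWithComments call the original test used, and the namespace-aware result is compared with the canonical form given in the spec. The class and method names (NamespaceAwareC14n, canonicalize, requireNamespaceAware) and the EXPECTED_E5 constant are my own; the input and the expected string are the spec example quoted in the thread.

```java
import java.io.ByteArrayOutputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Added example (not from the thread or the project): shows why a DOM used
 * for canonicalization (and therefore for XML Signature) must come from a
 * namespace-aware parser. Class, method and constant names are my own.
 */
public class NamespaceAwareC14n {

    // Constructed input: the <e5> element from the W3C c14n spec example,
    // http://www.w3.org/TR/xml-c14n#Example-SETags
    static final String XML =
        "<doc>"
        + "<e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\""
        + " xmlns:b=\"http://www.ietf.org\""
        + " xmlns:a=\"http://www.w3.org\""
        + " xmlns=\"http://example.org\"/>"
        + "</doc>";

    // Canonical form of <e5> as given in the spec: namespace declarations
    // first (sorted by prefix), then attributes sorted by namespace URI,
    // then by local name.
    static final String EXPECTED_E5 =
        "<e5 xmlns=\"http://example.org\" xmlns:a=\"http://www.w3.org\""
        + " xmlns:b=\"http://www.ietf.org\" attr=\"I'm\" attr2=\"all\""
        + " b:attr=\"sorted\" a:attr=\"out\"></e5>";

    /**
     * Guard for any signing or verification path: refuse a factory whose
     * DOM would not canonicalize per the spec. A digest computed over a
     * non-conforming canonical form will not verify against a conforming
     * implementation on the other side.
     */
    static DocumentBuilder requireNamespaceAware(DocumentBuilderFactory f)
            throws Exception {
        if (!f.isNamespaceAware()) {
            throw new IllegalStateException(
                "DocumentBuilderFactory must be namespace-aware for XML c14n/dsig");
        }
        return f.newDocumentBuilder();
    }

    /** Parse with the given awareness setting and return the c14n output. */
    static String canonicalize(String xml, boolean namespaceAware)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(namespaceAware); // the setting the thread turned on
        DocumentBuilder b = namespaceAware ? requireNamespaceAware(f)
                                           : f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOMc14nWithComments(doc, out);
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();

        // Default factory: xmlns declarations are ordinary attributes to the
        // DOM, so they sort alongside attr/attr2 and xmlns="" is not dropped.
        String unaware = canonicalize(XML, false);
        // Namespace-aware factory: output matches the spec.
        String aware = canonicalize(XML, true);

        System.out.println("namespaceAware=false: " + unaware);
        System.out.println("namespaceAware=true : " + aware);
        System.out.println("aware output matches W3C form: "
            + aware.contains(EXPECTED_E5));
    }
}
```

Run it with the XML Security jar on the classpath. The default JAXP factory is namespace-unaware, as the javadoc quoted above says, so a new DocumentBuilderFactory.newInstance() silently produces a DOM on which the c14n code cannot tell a namespace declaration from an attribute; the guard makes that a hard failure at the point where it matters rather than a signature that only fails to verify later.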